DS record returned by dig is different than in DNSSEC cloudflare settings

What is the name of the domain?

boomerobjevuje.cz

What is the issue you’re encountering?

Mismatch between expected and actual DS record for DNSSEC on Cloudflare

What feature, service or problem is this related to?

DNSSEC

What are the steps to reproduce the issue?

In the Cloudflare DNSSEC configuration, the following DS record is shown:

boomerobjevuje.cz. 3600 IN DS 2371 13 2 A34E5F9E5A97B34A241C00AE0C41056CEC12B5EDACFF5BA153EBDB20B2D76839

The domain is under the .cz TLD, and according to the documentation, Cloudflare automatically publishes DS records for domains using either Cloudflare Registrar or those under the .cz and .ch TLDs:

“Cloudflare automatically adds DS records for domains using Cloudflare Registrar or those using .ch and .cz top-level domains.”

However, when I query the current DS record using dig, I get a different DS record:

dig DS boomerobjevuje.cz +dnssec

;; ANSWER SECTION:
boomerobjevuje.cz. 3197 IN DS 2370 13 2 2F7B502978733AB76C0FFD847CCB204DF3532B95E72C04006612F439 A2529D59

This indicates a mismatch between the DS record that Cloudflare expects (key tag 2371) and the one currently published in the parent .cz zone (key tag 2370).

Where is the problem coming from, and how can I ensure the correct DS record (from Cloudflare) is published?

May I ask, was DNSSEC disabled and the DS record removed prior to moving to Cloudflare and changing the domain nameservers to the ones assigned for your CF account?
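A check for the mismatch discussed in this thread, added here as an example (not code from the posts or from Cloudflare): it derives the DS (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) from the DNSKEYs a zone serves and flags any DS at the parent that no served key produces. The zone name, key bytes and stale DS in `demo()` are constructed; `DIG_LINE` is the dig answer quoted in the question.

```python
import base64
import hashlib

# dig answer quoted in the question; dig splits the long digest with a space.
DIG_LINE = ("boomerobjevuje.cz. 3197 IN DS 2370 13 2 "
            "2F7B502978733AB76C0FFD847CCB204DF3532B95E72C04006612F439 A2529D59")

def name_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pub_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + base64.b64decode(pub_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(name_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def parse_ds(line):
    """Parse a DS line in zone-file/dig format, rejoining a split digest."""
    f = line.split()
    i = f.index("DS")
    return (int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper())

def audit(owner, parent_ds_lines, dnskeys):
    """For each DS at the parent: (key tag, True if a served DNSKEY hashes to it)."""
    served = {make_ds(owner, dnskey_rdata(*k)) for k in dnskeys}
    return [(parse_ds(l)[0], parse_ds(l) in served) for l in parent_ds_lines]

def demo():
    owner = "example.cz."  # constructed zone name
    # Constructed key material (not a real key): flags 257 = KSK, algorithm 13.
    ksk = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
    tag, alg, dtype, dg = make_ds(owner, dnskey_rdata(*ksk))
    good = f"{owner} 3600 IN DS {tag} {alg} {dtype} {dg[:56]} {dg[56:]}"
    stale = f"{owner} 3600 IN DS 1111 13 2 {'AB' * 32}"  # constructed leftover DS
    return audit(owner, [good, stale], [ksk])

if __name__ == "__main__":
    print(parse_ds(DIG_LINE))
    print(demo())
```

For a real zone, the inputs would be the DNSKEY records returned by the zone's own nameservers and the DS lines returned for the same name from the parent.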
